Friday, March 17, 2006

Use SMF with custom methods and dependencies to create Dynamic Ipfilter Rules for RPC Services.

Searching turned up a number of people with the same question and no good answers, among them the OpenSolaris Forums thread "SunRPC proxy", in which Darren Reed states: "There is a proxy, of sorts, in the IPFilter source code at present, but it is of questionable integrity". Unfortunately, questionable integrity is right out in this environment.

A simple solution was implemented: a startup script written by Borgan Chu parses the output of rpcinfo -p and creates ipfilter rules that allow traffic from the desired source addresses to each dynamic RPC service port. The script uses a configuration file with the following syntax, similar to that of hosts.allow/hosts.deny.

The previous script came with one acknowledged major problem: it only runs at boot, so any restart of rpcbind or of an RPC service can result in a different port assignment, invalidating the previous rules. From an operational standpoint I pictured repeatedly troubleshooting the same issue: a service mysteriously stops working, Tier 2 engineers look into the problem and find that the service is running and can be reached locally, and possibly from other hosts, but not from the problem host.

One other issue with the script was apparent to me: each further manual execution would keep adding entries to the rule set, with no way to clean them up short of flushing the existing rules. This required a change to both the script and the default ipf.conf rules. With the following changes the script supports both a start and a stop method, and it creates slightly different rules.

New base ipf rules:

# Allow Dynamic RPC entries
pass in on bge0 all head 100
# useless rule to allow for deletion of all inbound dynamic pass rules
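The following is an added example written for this page; it is not Borgan Chu's script or anything else from the original post. It does what the post describes: reads the table printed by rpcinfo -p, looks each RPC service up in a hosts.allow-style configuration file, and emits one "pass in" rule per allowed source per dynamic port, every rule tagged with "group 100" so that a stop method can remove exactly the rules the start method loaded instead of flushing the whole rule set. The interface name bge0 and group number 100 come from the base rules above; the configuration syntax ("service: src, src"), the path /var/run/ipf-rpc.rules used to record what was loaded, the path /etc/ipf-rpc.conf, and the rpcinfo and configuration samples are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: generate IPFilter rules for the dynamic ports that
# "rpcinfo -p" reports.  Not the original post's script.
#
# Assumed (hypothetical) details: interface bge0 and group 100 as in the
# base ipf rules, a config syntax of "<service>: <src>[, <src>...]", and a
# state file under /var/run that records the rules that were loaded.

IFACE=bge0
GROUP=100
RULEFILE=/var/run/ipf-rpc.rules      # hypothetical path

# Constructed "rpcinfo -p" output, not captured from a real host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100021    4   tcp  32771  nlockmgr
    100021    4   udp  32772  nlockmgr
    100024    1   tcp  32773  status
    100024    1   udp  32774  status
    100005    3   tcp  32775  mountd
    100005    1   tcp  32775  mountd'

# Constructed config in the assumed hosts.allow-like syntax.
SAMPLE_CONF='# service: allowed sources
nlockmgr: 192.0.2.10, 192.0.2.11
status:   192.0.2.10
mountd:   198.51.100.0/24'

# gen_rules CONF   (rpcinfo table on stdin)
# Prints one rule per (service, proto, port, source).  Services absent from
# CONF get no rule, so rpcbind itself (port 111) is never opened here; that
# static rule belongs in ipf.conf.  Several program versions sharing one
# port produce a single rule.
gen_rules() {
    awk -v iface="$IFACE" -v grp="$GROUP" '
        FILENAME == ARGV[1] {                 # first file: the allow list
            if ($0 ~ /^[ \t]*#/ || NF == 0) next
            svc = $1; sub(/:$/, "", svc)
            for (i = 2; i <= NF; i++) {
                s = $i; sub(/,$/, "", s)
                if (s != "") allow[svc] = allow[svc] " " s
            }
            next
        }
        $1 == "program" { next }              # rpcinfo header line
        NF == 5 && ($5 in allow) {
            key = $3 ":" $4 ":" $5
            if (key in seen) next
            seen[key] = 1
            n = split(allow[$5], srcs, " ")
            for (i = 1; i <= n; i++)
                printf "pass in on %s proto %s from %s to any port = %s group %s\n",
                       iface, $3, srcs[i], $4, grp
        }' "$1" -
}

# SMF start method: snapshot the current port map into RULEFILE, then load it.
start_method() {
    rpcinfo -p | gen_rules "$1" > "$RULEFILE" || return 1
    ipf -f "$RULEFILE"
}

# SMF stop method: remove the rules recorded at start time.  Regenerating
# from a fresh "rpcinfo -p" would be wrong here: if rpcbind has restarted the
# ports have moved and the old rules would be left in the kernel.
stop_method() {
    [ -f "$RULEFILE" ] || return 0
    ipf -rf "$RULEFILE" && rm -f "$RULEFILE"
}

# Offline demonstration on the constructed data; touches neither rpcinfo nor ipf.
demo_rules() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    printf '%s\n' "$SAMPLE_RPCINFO" | gen_rules "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    start) start_method "${2:-/etc/ipf-rpc.conf}" ;;    # hypothetical config path
    stop)  stop_method ;;
    *)     demo_rules ;;
esac
```

Run with no arguments to see the seven rules the sample data produces; as an SMF method it is invoked with start or stop. Two points worth keeping in mind: the stop method deletes from the saved file rather than from a fresh rpcinfo run, because after an rpcbind restart the two would no longer agree; and under IPFilter's last-match semantics the head rule is itself a match, so what happens to bge0 traffic that hits no rule in group 100 depends on the rules that follow it in ipf.conf.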

The major problem, keeping the dynamic rules current, can be resolved using SMF. Creating a service for our ipf rules script with a require_all dependency on ipfilter causes the new service to run only when ipfilter is enabled, and because the dependencies use restart_on=refresh, SMF restarts the rules service (stop method, then start method) whenever rpcbind is restarted or refreshed:

dependency require_all/refresh svc:/network/ipfilter:default (online)
dependency require_any/refresh svc:/network/rpc/bind:default (online)

Execution can be further tuned by creating require_any dependencies on the various RPC services, which svcs will list:

svcs "*rpc*"

After the manifest is loaded, the properties of the service can be bulk updated to cover most standard RPC services with the following command, or manually updated to require_any other specific RPC services.
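As an added example of that bulk update (written for this page, not the command from the original post), the script below turns an svcs listing of RPC services into the svccfg commands that set a require_any/refresh dependency on all of them. The service FMRI svc:/network/ipf-rpc:default, the dependency property group name rpc_services, and the svcs sample are assumptions; the manifest is assumed to have declared the rpc_services dependency group already (with rpc/bind in it, as in the svcs -l output above), so only the properties are set and no addpg is issued.

```shell
#!/bin/sh
# Added example: emit the svccfg commands that point the rules service's
# require_any dependency at every RPC service svcs lists.  Not from the post.
#
# SMF semantics relied on: grouping=require_any means the service can start
# once any listed RPC service is online, and restart_on=refresh makes SMF
# restart this service whenever one of them is restarted or refreshed, which
# is what keeps the ipf rules in step with the RPC port map.

SVC=svc:/network/ipf-rpc:default     # assumed FMRI of the rules service
PG=rpc_services                      # assumed dependency property-group name

# Constructed output of:  svcs -H -o fmri '*rpc*'   (not from a real host)
SAMPLE_SVCS='svc:/network/rpc/bind:default
svc:/network/rpc/keyserv:default
svc:/network/rpc/smserver:default
svc:/network/ipf-rpc:default'

# rpc_dependency_cmds   (FMRI list on stdin)
# Prints the svccfg/svcadm commands.  The rules service itself is dropped from
# the list so the dependency never points back at the service being
# configured, and an empty list is an error rather than an empty dependency.
rpc_dependency_cmds() {
    fmris=$(grep -v -x "$SVC" | tr '\n' ' ')
    fmris=${fmris% }
    [ -n "$fmris" ] || { echo "no rpc services found" >&2; return 1; }
    cat <<EOF
svccfg -s $SVC setprop $PG/grouping = astring: require_any
svccfg -s $SVC setprop $PG/restart_on = astring: refresh
svccfg -s $SVC setprop $PG/type = astring: service
svccfg -s $SVC setprop $PG/entities = fmri: "($fmris)"
svcadm refresh $SVC
EOF
}

# Offline demonstration on the constructed listing; prints commands only.
demo_cmds() {
    printf '%s\n' "$SAMPLE_SVCS" | rpc_dependency_cmds
}

case "${1:-}" in
    apply) svcs -H -o fmri '*rpc*' | rpc_dependency_cmds | sh ;;
    *)     demo_cmds ;;
esac
```

With no arguments the script only prints the commands for the sample listing; "apply" pipes the real svcs output through them. The svcadm refresh at the end is what makes the repository change visible to the running instance.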

Any IPF rules that are actively in use when the service restarts or is disabled are not removed. That particular aspect is not an issue for us, as it is assumed that if the rule is in use the service is still listening.